An idea would also be to perform a whois query only if "invalid state" pops up in a line of the scrolling syslog.

Thank you for your contributions. I have learnt something from your code. Often the solutions look easier than expected, like here, because I thought it would be more difficult. I think with the recent contribution of enzotib this question is solved now.

+1 for the answer, but I don't see the reason to run whois $IP 10 times if the same IP appears 10 times in /var/log/syslog (like here: paste.ubuntu.com/5859332). Most probably the result of whois one_specific_ip will not change in the near future.
– Radu Rădeanu Jul 10 '13 at 4:42

@enzotib yes, true - I forgot to say this in the question about a little built-in alert mode. When there is an 'alien' ping or an 'alien' request, syslog lists it with "foreign address" in the line.
– dschinn1001 Jul 10 '13 at 18:22

@enzotib sorry - it is not "foreign address" that pops up then; instead it is "invalid state" that pops up!
– dschinn1001 Jul 10 '13 at 21:33

@dschinn1001: see if the modified answer satisfies your new requirement.
– enzotib Jul 11 '13 at 6:25

Maybe the following code is a suitable starting point for you. It probably isn't the optimal solution, but it does its job.

It consists of a for loop over all lines of output of the command within $(). In each iteration of the loop, one line of output is stored in the variable IP. Then, in the loop, the whois command is called with $IP - the content of the variable IP - as an argument.

The brackets $() enclose two grep commands: the first one searches for IP addresses with SRC= written in front of them, and the second one takes the output of the first one (via a pipe |) and keeps just the IP address. The -o flag of grep causes it to output only the matched part of each line instead of the full line.

The regular expression is also not very elegant yet. It searches for three groups, each consisting of one to three digits and a dot, followed again by one to three digits. To keep the script readable, I chose to use -E extended regular expressions. The "normal" grep command would require a backslash in front of every round and curly bracket...
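The loop described in this answer, as an added example that is not the answer's own code, extended with the two points raised in the comments: only lines that mention "invalid state" are considered, and each address is looked up once. The log lines are constructed, and WHOIS_CMD and DEMO_LOG are names chosen here.

```sh
# Added example, not the answer's own code: extract the SRC= address from every
# syslog line that mentions "invalid state" and look each distinct address up once.
# The log lines below are constructed (RFC 5737 documentation addresses).
SAMPLE_LOG='Jul 10 04:42:01 box kernel: INVALID STATE: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=443 DPT=51514
Jul 10 04:42:02 box kernel: INVALID STATE: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=443 DPT=51515
Jul 10 04:42:03 box kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=40000
Jul 10 04:42:04 box kernel: INVALID STATE: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=80 DPT=51516
Jul 10 04:42:05 box sshd[999]: Accepted publickey for alice from 192.0.2.44 port 51517'

# Read syslog text on stdin; print each source address of an "invalid state"
# line exactly once. Anchoring on SRC= keeps DST= and unrelated addresses out,
# and sort -u is what avoids running whois ten times for one repeated address.
extract_src_ips() {
    grep -i 'invalid state' \
      | grep -oE 'SRC=([0-9]{1,3}\.){3}[0-9]{1,3}' \
      | cut -d= -f2 \
      | sort -u
}

# Look up every distinct address from the file given as $1. WHOIS_CMD (a name
# chosen here) defaults to whois; set it to echo for an offline dry run.
lookup_all() {
    extract_src_ips <"$1" | while read -r ip; do
        printf '=== %s ===\n' "$ip"
        "${WHOIS_CMD:-whois}" "$ip"
    done
}

# Stand-alone demo: write the constructed lines to a temp file and do a dry
# run, so nothing leaves the machine when this script is executed as-is.
DEMO_LOG="${TMPDIR:-/tmp}/invalid_state_demo.log"
printf '%s\n' "$SAMPLE_LOG" >"$DEMO_LOG"
WHOIS_CMD=echo
lookup_all "$DEMO_LOG"
rm -f "$DEMO_LOG"
```

For a real run, unset WHOIS_CMD and pass /var/log/syslog to lookup_all; the UFW BLOCK and sshd lines in the sample show which entries the "invalid state" filter drops.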